By Malcolm Owen
Thursday, August 08, 2019, 02:27 pm PT (05:27 pm ET)
Security researchers were able to bypass Face ID’s “liveness” detection on the iPhone and iPad Pro with everyday items, defeating what is considered the industry’s most advanced biometric security system using little more than a pair of glasses with tape affixed to the lenses.
When Apple debuted Face ID during the iPhone X’s unveiling in 2017, it was claimed that the technology had a one-in-a-million chance of being unlocked by a random person, a marked improvement over Touch ID’s 1 in 50 thousand false positive chance. The high profile nature of the security system has led to attempts by security researchers to defeat it, but at the Black Hat conference, Face ID appears to be susceptible to one relatively simple technique.
Demonstrated on Wednesday, ThreatPost reports researchers from Tencent took advantage of the “liveness” detection of Face ID, which is used to confirm the person it is looking at is real and not a mask or someone wearing prosthetics. By detecting background noise, distortions in response, and focus blur, biometrics tools like Face ID can determine if it is looking at a genuine face, not a manufactured version.
Liveness detection is one of many underlying technologies that make Face ID more effective and accurate than competing solutions used to secure Android devices.
The liveness detection also prevents Face ID from being used when the registered owner is asleep, in theory stopping attackers from simply pointing the TrueDepth camera at the face of an unconscious user. Researchers discovered that Face ID changes its scan process when a target is wearing glasses.
“After our research we found weak points in Face ID, it allows users to unlock while wearing glasses,” Tencent’s Zhuo Ma advised. “If you are wearing glasses, it won’t extract 3D information from the eye area when it recognizes the glasses.”
The researchers created the “X-glasses” prototype, namely glasses blacked out with white tape then overlaid with black tape. By placing the glasses on the victim, Face ID was able to be unlocked and money to be authorized for transfer within a financial app.
While the theory is sound in that it can defeat Face ID, the attack is only really useful against unconscious victims, requiring both physical access and the tricky move of placing glasses on their face without waking them up.
The researchers propose adding extra elements to biometric systems, including identity authentication and changing the weighting of video and audio synthesis detection to better improve liveness detection systems.
Tencent is not the first to claim success in defeating Face ID. Shortly after iPhone X saw release, a Vietnamese firm tricked the security feature using a 3D-printed mask with attached silicone nose, makeup and “specially processed” areas. The same company replicated the bypass with a $200 3D printed mask that incorporated 2D infrared images.
Face ID can in remote cases be fooled by family members who bear a close resemblance to the device owner.
More recently, a Chinese researcher from Ant Financial was poised to present an easy bypass of the biometric security protocol at a Black Hat conference in January, but canceled at the last minute after his company characterized the talk as “misleading.”